Subject
This guide describes how to install and configure Enterprise Access Management (EAM), which gathers the Authentication Manager and Enterprise SSO modules.
Audience
This guide is intended for:
Required Software
EAM 9.0 evolution 2 and later versions. For more information about the versions of the required operating systems and software solutions quoted in this guide, please refer to One Identity EAM Release Notes.
Typographical Conventions
Bold - Indicates:
Italics - Indicates references to other guides.
Code - Indicates portions of program code, command lines or messages displayed in command windows.
CAPITALIZATION - Indicates specific objects within the application (in addition to standard capitalization rules).
< > - Identifies parameters to be supplied by the user.
Documentation support
The information contained in this document is subject to change without notice. As our products are continuously enhanced, certain pieces of information in this guide can become incorrect. Send us your comments or suggestions regarding the documentation on the One Identity support website.
The Enterprise Access Management solution enables you to deploy a high level of security. It uses your company's corporate LDAP directory to manage Single Sign-On (SSO) on this distributed LDAP architecture. Enterprise Access Management also provides Single Sign-On in the Cloud, allowing SSO data to be saved in the Cloud instead of in your company's LDAP directory.
This guide explains how to install Enterprise Access Management (EAM), which gathers the Authentication Manager and Enterprise SSO modules.
EAM is composed of several software applications, which run on top of a middleware called the EAM Security Services. It is a Windows service, which is automatically installed during the EAM installation process. It provides the following services:
IMPORTANT: The EAM applications never interact directly with your company's LDAP directory or with your users' tokens. All the operations are performed by the Security Services, in a secure system environment.
The Security Services work directly with the corporate LDAP directory, except for the audit and administration services, for which they can use the EAM Controller.
Enterprise SSO is the single sign-on (SSO) engine. It is installed on the client workstations. This software module offers many optional components.
The Authentication Manager software module allows you to enforce user authentication and to use authentication sources other than Active Directory. When installed, it is used instead of the standard Windows logon dialog box.
Authentication Manager allows users to log on to their workstation using several authentication methods, such as login/password, smart cards, biometrics or mobile phone authentication methods.
It also allows you to manage primary authentication policies: the authentication methods authorized per workstation or per user.
The EAM Controller is an administration server that enables the management of administration profiles.
The administration actions are not sent directly from the workstations to the LDAP directory under the EAM administrator's account, but through the EAM Controller: upon the EAM installation, you will have to define an LDAP account that will be used by the EAM Controller to perform any EAM administration action on the LDAP directory.
You do not have to set different ACLs for each EAM administrator. You set ACLs only once, on the LDAP account used by the EAM Controller, which handles the administration requests according to the administration profiles defined with EAM Console.
The EAM Controller also runs as the EAM audit server. It collects the audit information from the EAM workstations into an SQL database. The audit data is available through EAM Console, either globally or contextually (that is, depending on the selected audited EAM object).
EAM Console is a centralized administration and audit consultation tool that can be installed on any EAM client workstation. This administration console also allows you to define extended security policies by managing Access Points and by defining authentication scheduling.
NOTE: For details on supported authentication devices, see One Identity EAM Release Notes.
To update EAM or one of its components, run the installation through the Administration Tools window (see Starting the Administration Tools window) and re-install the wanted component(s): they are automatically updated.
The following illustration details the different interactions between the different components of the EAM software suite, the corporate LDAP directory and applications.
The Security Services components are installed on the EAM workstations (end-user and administration workstations). They run as clients of the EAM Controller to carry out the following functions:
They allow EAM users to authenticate to their corporate LDAP directory, either using their usual authentication interface, or using Authentication Manager if it is installed on the workstation.
The authentication allows EAM users to:
The EAM Controller gathers all the audit events sent by the EAM workstations in an SQL database. The link between the EAM workstations and the EAM Controller is secured (SSPI). An audit cache located on the EAM workstation manages network flows and stores the audit events if the workstation is disconnected from the network.
In disconnected mode, the administration actions are no longer carried out by the EAM applications (through the Security Services running as client of the EAM Controller), but directly by the EAM Controller.
The following illustration details the different interactions between the different components of the EAM software suite, the Cloud and applications.
Only Enterprise SSO is installed on the user’s workstation, along with the E-SSO cache. Instead of being stored in the company’s LDAP directory, the SSO data as well as the other components are stored in the Cloud.
IMPORTANT: To create technical definitions on applications available on the customer site only, Enterprise-SSO in registry mode is mandatory.
The user authenticates with his e-mail address and his Cloud password; the latter is locally stored on his workstation. The user has to enter it only once per workstation.
NOTE:
The password can also be stored encrypted in the LDAP directory by activating the following registry key on the client workstation: HKLM\SOFTWARE\Policies\Enatel\SSOWatch\CommonConfig\
The SSO data is then downloaded through an HTTPS request sent to a Web service. The URL of this Web service is written during the installation under the following registry value: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\SSOWatch\CommonConfig\DefaultCloudServer (REG_SZ)
The SSO data is stored in C:\Users\username\AppData\Local\Evidian\EAM.
For more information on installing Cloud E-SSO, see Installing Cloud E-SSO.
Since EAM works directly with the directory in place to deploy the SSO policies, you must take your directory infrastructure into account before starting the installation process. The following sub-sections introduce the EAM concepts related to directory infrastructure and provide examples that may correspond to your situation.
Depending on your LDAP directory infrastructure, you may not want to modify the schema of your corporate LDAP directory. In this case, it is possible to separate the storage of the EAM data.
NOTE: This feature is available with some of the LDAP directories supported by EAM. For details, see One Identity EAM Release Notes.
For example, if you are using an Active Directory infrastructure, you can use an AD LDS (formerly named ADAM) directory to store the EAM configuration and the SSO data. In this mode, the Active Directory service is the identities directory, and AD LDS is an EAM dedicated directory used to store EAM data.
NOTE: The authentication process is not modified, as a user who authenticates to an Active Directory service can authenticate to an AD LDS service using the same credentials, through the Kerberos SSO mechanisms.
The following illustration shows an EAM architecture using an Active Directory service combined with an EAM dedicated AD LDS (formerly named ADAM) infrastructure.
This section introduces two EAM specific concepts dealing with Active Directory infrastructures: inter domain and multi domain.
NOTE: These concepts imply that your directory infrastructure is not a single domain infrastructure.
The inter domain concept refers to the EAM users. It consists of setting up EAM so that a user of one domain can authenticate on workstations of another domain.
To set up EAM inter domain, you must meet the following requirements:
The multi domain concept refers to the EAM administrators. It consists of setting up EAM so that an EAM administrator can manage several domains at the same time using the EAM administration console.
The following illustration shows an EAM solution running in a multi domain configuration.
NOTE: Inter-domain can exist in a multi-domain configuration.
For an example of AD+AD LDS multi domain infrastructure, see Active Directory + AD LDS Infrastructure.
Consider the following Active Directory infrastructure:
In this organization, the Active Directory infrastructure consists of the following:
This example shows an Active Directory infrastructure designed to set up EAM multi domain. You can see that:
The following example shows an Active Directory infrastructure combined with an EAM dedicated AD LDS infrastructure. You can see that there is one AD LDS instance for one Active Directory domain.
The following example infrastructure shows an AD LDS infrastructure with AD multi domain.
To implement the EAM environment, you have to create objects used by EAM in the LDAP directory. These objects will allow you to create security rules and to store the users’ single sign-on data. These pieces of data are ciphered.
EAM supports the following types of LDAP directory for storing user security data:
NOTE: For information on the supported versions of the listed LDAP directories, see One Identity EAM Release Notes.
Depending on your Active Directory infrastructure, you may have to install several types of EAM Controllers. This section describes a multi domain architecture example. This may help you define your own software architecture depending on your requirements.
There are three types of controllers that you can or must install depending on your needs:
The above illustration shows a multi-domain software architecture that uses four EAM Controllers (two controllers per domain) and a Master Audit Database:
NOTE: By default, the Master Database is an SQL Server instance. This audit base can be hosted on other databases than SQL Server. The list of databases for which this feature is supported is detailed in One Identity EAM Release Notes.
This example of architecture allows administrators to manage users that reside in different LDAP domains, and they can switch users from one domain to another in the forest. The secondary controllers provide high-availability.
To set the EAM software architecture described above, do the following:
For Active Directory, Evidian provides a schema management tool that allows you to:
The modifications to the Active Directory schema for EAM have been designed to be as little intrusive as possible:
NOTE: You do not have to restart your computer.
So make sure you have a user account in the Active Directory forest which allows you to:
NOTE: You are advised to use only one account that is a member of both the Schema Admins and the Domain Admins groups. If this is not possible (depending on your Active Directory design), you can use two different accounts.
IMPORTANT: If you are installing EAM in multi-domain mode, read the following:
The EAM installation window appears.
NOTE: If the window does not appear, do the following:
The Administration Tools interface appears:
IAM Active Directory Setup Tool starts.
Step / When this window appears… / Do the following
Step 2: Click Next.
Step 3: Click Next.
Step 4: Click Yes.
Step 5: At this step, the Active Directory schema extension is done. Click Next.
Step 6: At this step, you have two possibilities:
Steps 10 to 13: (window illustrations only)
Step 14: If you have created a Local Group to gather the technical accounts used by the EAM Controller (for more information, see Before Starting above), select Give some administration profiles to a group of the domain and enter the Group name. Then, select the Controller Server Account check box and click Next. Otherwise, see Step 17.
Steps 15 to 17: (window illustrations only)
Step 18: If you want to set ACLs on another domain (inter-domain or multi-domain infrastructures), or if you want to modify a configuration, select Configure another domain and click Next (see Step 8). Otherwise, select Exit this program and click Exit.
NOTE: During the existing schema validation phase, objects that use EAM object identifiers may be detected. If this is the case, software from other suppliers that does not adhere to Microsoft's recommendations for extending the Active Directory schema may have been installed. In these circumstances, contact the One Identity support center.
IMPORTANT: This task is optional and should be done only if the directory repository has not been installed and configured in a standard way.
It is recommended to set indexes on both standard attributes and EAM specific attributes.
You must know how to set indexes manually.
It is strongly recommended to index the following attributes:
When using a custom LDAP attribute stored on the authentication token, this attribute must be indexed for presence and equality searches.
When searching for users to whom an account can be delegated, several attributes are used to search the directory using a substring match. These attributes must be indexed for substring search. By default, the attributes used are:
Since administrators can change the attributes used for this search by modifying the UserSearchFilter registry value, check if the attributes you choose are indexed.
The following specific attributes must be indexed:
If you plan smart card authentication, set the following attributes:
If you plan cluster management, index the enatelPrettyName attribute (used for the alias feature) for performance reasons.
If you want to use Web Access Manager with EAM, set the following attributes:
With Active Directory, EAM uses automatically the most secure available method. No configuration is needed.
Microsoft Active Directory Lightweight Directory Services (AD LDS) is an LDAP directory service that runs as a user service, rather than as a system service.
Using AD LDS with EAM allows you to store all EAM data (configuration objects, user security data, access information and so on) in the AD LDS directory, while the user data remains in the enterprise Active Directory. In this case, no modification is made to the Active Directory (no schema extension, no ACL modification and no object creation).
This section explains how to extend the schema of AD LDS and set some access control rules (ACL).
If you want to work in a multi domain AD LDS environment, you must first install all the necessary AD domain controllers and then install the AD LDS directory.
The above illustration shows a multi-domain software architecture that uses two EAM Controllers and a Master Audit Database:
NOTE: By default, the Master Database is an SQL Server instance. However, this audit base can be hosted on other databases than SQL Server. The list of databases for which this feature is supported is detailed in One Identity EAM Release Notes.
This example of architecture allows administrators to manage users that reside in different LDAP domains, and they can switch users from one domain to another in the forest. The secondary controller provides high-availability.
To set the EAM software architecture described above, do the following:
NOTE: For more information on supported versions and the operating systems on which it can be installed, see One Identity EAM Release Notes.
Parameters:
Wizard Window Name / EAM Requirements
"Setup Options": Choose Unique instance.
"Application Directory Partition": Choose Yes.
"ADAM Administrators": An AD LDS administrator is an account with control over the AD LDS instance.
"Importing LDIF Files": Import all LDIF files. The MS-User.LDF file is mandatory.
Restrictions:
NOTE: For more information on how to create an AD LDS instance, please refer to the Microsoft website and documentation.
In a command line console, change to the %WINDIR%\ADAM directory and type the following command for each of the provided LDIF files:
ldifde -i -v -k -s <host:port> -f <file.ldif> -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext -b <user> <domain> <password>
IMPORTANT: Do not replace the following string: "CN=Schema,CN=Configuration,DC=X".
Where:
<host:port>: The AD LDS server hostname and TCP port.
<file.ldif>: The provided LDIF file, which is located in the TOOLS\ESSODirectory\AD LDS (users in AD) directory.
<user>: The user name of the AD LDS administrator chosen during the instance installation.
<domain>: The NetBIOS domain of the user.
<password>: The user password.
NOTE: ldifde is located in the %WINDIR%\ADAM directory.
Once you have run the command for each of the LDIF files, the AD LDS schema is extended.
The Windows account you chose to be the administrator of the AD LDS instance when setting it up (see the Before Starting section of Preparing the Storage of Security Data in the LDAP Directory) must have the SE_RESTORE_NAME privilege in the local computer policy. To grant it, add this account to the Backup Operators local group of the local computer.
You must set some access control rules on the partition, for the domain users to store and retrieve data in AD LDS. For that, the ACL-ADAM-EXTMGR.cmd file is provided in the Authentication Manager or Enterprise SSO installation package.
The following standard attributes must be indexed:
The following EAM specific attributes must be indexed:
If you plan smart card authentication, set the following attributes:
If you want to use Web Access Manager with EAM, set the following attributes:
With AD LDS, EAM uses automatically the most secure available method. No configuration is needed.
IMPORTANT: The configuration of EAM Services with an OpenLDAP directory requires advanced skills, and an integration service is required. Please contact One Identity services at srv-expertise@oneidentity.com.
To extend the schema of an existing OpenLDAP directory, the wiseguard.schema file is provided on the Authentication Manager or Enterprise SSO installation package, in TOOLS\ESSODirectory\OpenLDAP.
Include the EAM schema definition after the standard schema definitions by adding the following command line in slapd.conf:
include <file path>/wiseguard.schema
To position ACLs on an OpenLDAP directory, use the wiseguard-em.acl file located on the Authentication Manager or Enterprise SSO installation package, in TOOLS\ESSODirectory\OpenLDAP.
If you want to authenticate as an administrator in EAM, you must create a user or a group of users and give it administration rights in the directory.
Edit slapd.conf to set your ACLs, with the following guidelines:
The following example shows the configuration parameters to enter to integrate the EAM rules into existing rules (in slapd.conf, continuation lines of a directive must be indented):
# reading the rootDSE special entry
access to dn.base="" by * read
# authentication
access to attrs=userPassword
    by dn="cn=administrateur,dc=evidian,dc=fr" write
    by groupdn="cn=administrateurs,dc=evidian,dc=fr" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=administrateur,dc=evidian,dc=fr" write
    by groupdn="cn=administrateurs,dc=evidian,dc=fr" write
    by self write
    by * break
# the ACL WG
include <file path>/wiseguard-em.acl
access to * by * read
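The order of the clauses above matters: OpenLDAP uses the first "access to" clause that matches the target, so a catch-all read rule placed before the wiseguard-em.acl include would hide the EAM rules entirely, and the userPassword clause must keep anonymous clients at "auth". The following Python checker is an added example (not part of the guide or of the EAM product) that parses an slapd.conf excerpt and reports both mistakes; the "broken" configuration it tests against is constructed.

```python
import re

EAM_ACL_FILE = "wiseguard-em.acl"


def parse_directives(conf_text):
    """Return slapd.conf 'include' and 'access to' directives in file order.

    Each entry is (kind, target, by_clauses): kind is "include" or "access",
    target is the included path or the <what> part of 'access to <what>',
    and by_clauses lists the 'by <who> <level>' parts in order. Indented
    lines continue the previous directive; because the guide's printed
    example lost its indentation, a bare "by ..." line is treated as a
    continuation as well.
    """
    joined = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if joined and (raw[0] in " \t" or line.startswith("by ")):
            joined[-1] += " " + line
        else:
            joined.append(line)
    directives = []
    for d in joined:
        if d.startswith("include "):
            directives.append(("include", d.split(None, 1)[1].strip(), []))
        elif d.startswith("access to "):
            what, *by = re.split(r"\s+by\s+", d[len("access to "):])
            directives.append(("access", what.strip(), [b.strip() for b in by]))
    return directives


def check_eam_acl_order(conf_text):
    """Return a list of findings; an empty list means the layout is sound.

    OpenLDAP applies the first 'access to' clause whose <what> matches the
    entry, then the first matching 'by' clause inside it; evaluation moves
    on to later clauses only when the matching 'by' ends in 'break'.
    Checked here:
      1. no 'access to *' clause before the EAM include swallows every
         request (it must end with 'by * break', as in the guide's example);
      2. the userPassword clause gives anonymous/wildcard at most 'auth'.
    """
    directives = parse_directives(conf_text)
    findings = []
    include_pos = next((i for i, (k, target, _) in enumerate(directives)
                        if k == "include" and target.endswith(EAM_ACL_FILE)), None)
    if include_pos is None:
        findings.append("%s is never included" % EAM_ACL_FILE)
    has_password_clause = False
    for i, (kind, what, by) in enumerate(directives):
        if kind != "access":
            continue
        if what == "*" and (include_pos is None or i < include_pos):
            wildcard = [b for b in by if b.split()[0] == "*"]
            if not wildcard or wildcard[-1].split()[-1] != "break":
                findings.append("directive %d: 'access to *' precedes the EAM "
                                "include and does not end with 'by * break'" % i)
        if "userPassword" in what:
            has_password_clause = True
            for b in by:
                who, level = b.split()[0], b.split()[-1]
                if who in ("*", "anonymous", "users") and level not in ("none", "auth"):
                    findings.append("userPassword clause grants '%s'" % b)
    if not has_password_clause:
        findings.append("no dedicated userPassword clause; the attribute falls "
                        "through to the generic rules")
    return findings


# The ACL block printed in the guide's OpenLDAP section, used as the good case.
GUIDE_CONF = """\
# reading the rootDSE special entry
access to dn.base="" by * read
# authentication
access to attrs=userPassword
by dn="cn=administrateur,dc=evidian,dc=fr" write
by groupdn="cn=administrateurs,dc=evidian,dc=fr" write
by anonymous auth
by self write
by * none
access to *
by dn="cn=administrateur,dc=evidian,dc=fr" write
by groupdn="cn=administrateurs,dc=evidian,dc=fr" write
by self write
by * break
# the ACL WG
include <file path>/wiseguard-em.acl
access to * by * read
"""

# Constructed counter-example: the catch-all read rule sits before the
# include, and anonymous clients may read userPassword.
BROKEN_CONF = """\
access to dn.base="" by * read
access to attrs=userPassword
  by dn="cn=administrateur,dc=evidian,dc=fr" write
  by anonymous read
  by self write
  by * none
access to * by * read
include /etc/openldap/wiseguard-em.acl
"""

if __name__ == "__main__":
    for name, conf in (("guide", GUIDE_CONF), ("broken", BROKEN_CONF)):
        print(name, check_eam_acl_order(conf) or ["ok"])
```

The checker does not follow includes, so rules inside wiseguard-em.acl itself are not inspected.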
The following standard attributes must be indexed:
When using a custom attribute stored on the authentication token, this attribute must be indexed for presence and equality searches.
When searching for users to whom an account can be delegated, several attributes are used to search the directory using a substring match. These attributes must be indexed for substring search. By default, the attributes used are:
Since the administrator can change the attributes used for this search by modifying the UserSearchFilter registry value, the administrator has to check that the chosen attributes are indexed.
To set the indexes definitions for EAM specific attribute types, open the wiseguard-extmgr.indexes file. This file is located in TOOLS\ESSODirectory\OpenLDAP (in the Authentication Manager or Enterprise SSO installation package). Just include it in your slapd.conf configuration file.
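As an added example (not from the guide), the following Python check reads the index directives of an slapd.conf excerpt and reports which of the attributes EAM relies on lack the required index types. The attribute names are assumptions: the guide only states that the custom token attribute needs presence and equality indexes and the delegation search attributes need substring indexes; the equality requirement on enatelPrettyName is assumed.

```python
def parse_index_directives(conf_text):
    """Map attribute name (lower-cased) -> set of index types declared.

    Understands 'index attr1,attr2 eq,sub' and 'index default <types>';
    an attribute listed without types receives the current default set.
    Files pulled in with 'include' (such as wiseguard-extmgr.indexes) are
    not followed: concatenate their text before calling.
    """
    indexes = {}
    default = set()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "index":
            continue
        types = set(parts[2].split(",")) if len(parts) > 2 else set(default)
        if parts[1] == "default":
            default = types
            continue
        for attr in parts[1].split(","):
            indexes.setdefault(attr.lower(), set()).update(types)
    return indexes


def missing_indexes(conf_text, requirements):
    """Return {attribute: missing types} for every requirement not met.

    Only the full 'sub' type satisfies a substring requirement; a partial
    subinitial/subany/subfinal index is reported as missing.
    """
    declared = parse_index_directives(conf_text)
    missing = {}
    for attr, needed in requirements.items():
        gap = set(needed) - declared.get(attr.lower(), set())
        if gap:
            missing[attr] = gap
    return missing


# Constructed excerpt of a slapd.conf database section (not from the guide).
SAMPLE_CONF = """\
database mdb
suffix "dc=evidian,dc=fr"
index default eq
index objectClass eq
index cn,sn eq,sub
index mail eq              # equality only: substring searches stay unindexed
index employeeNumber       # inherits the default: eq only
index enatelPrettyName
"""

# Requirements derived from the guide's rules; attribute names are assumed:
#  - the custom attribute stored on the token needs presence and equality;
#  - the delegation user-search attributes (UserSearchFilter) need substring;
#  - enatelPrettyName (cluster alias) is assumed to need equality.
REQUIRED = {
    "employeeNumber": {"pres", "eq"},
    "cn": {"sub"},
    "sn": {"sub"},
    "mail": {"sub"},
    "enatelPrettyName": {"eq"},
}

if __name__ == "__main__":
    print(missing_indexes(SAMPLE_CONF, REQUIRED))
```

Remember that, as the guide's IMPORTANT note says, changing index directives requires running slapindex before the new indexes are usable.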
IMPORTANT: As the indexes are subsequently changed, the directory needs to be re-indexed using slapindex with the following guidelines:
You can combine EAM with a SAMBA domain controller storing its data in an OpenLDAP server.
We provide slapd-samba-extmgr-sample.conf, a sample OpenLDAP configuration file showing how to integrate EAM ACLs and SAMBA ACLs. This file is located in TOOLS\ESSODirectory\OpenLDAP (in the Authentication Manager or Enterprise SSO installation package).
SAMBA manages its own computer objects. For ESSO to use the SAMBA computer objects instead of creating new ones, you must enable the integration of SAMBA computer objects in EAM. See EAM Configuration with a User Database or Directory other than Microsoft Active Directory in Configuring Workstations.
SAMBA uses non-standard LDAP group entries, based on the posixGroup objectClass, which is not handled by EAM in the default configuration. For EAM to use the SAMBA group objects, you must enable the integration of SAMBA group objects in EAM. See EAM Configuration with a User Database or Directory other than Microsoft Active Directory in Configuring Workstations.
If passwords are synchronized from the SAMBA controller to the OpenLDAP server (and not from OpenLDAP to SAMBA), you must enable password synchronization from the SAMBA controller to the OpenLDAP server in EAM. When a user changes his password, the password change operation then uses Microsoft API calls to the SAMBA controller rather than an LDAP request to the OpenLDAP server, which would cause a password desynchronization between SAMBA and OpenLDAP. See EAM Configuration with a User Database or Directory other than Microsoft Active Directory in Configuring Workstations.
With OpenLDAP, EAM supports DIGEST-MD5 SASL mechanisms. This section explains how to configure EAM for DIGEST-MD5 with OpenLDAP.
Configure OpenLDAP for DIGEST-MD5: you must configure the matching between SASL authentication identity and directory users. For an authentication based on the uid attribute, you must put the following directives in the slapd.conf file:
sasl-regexp
    uid=(.*),cn=digest-md5,cn=auth
    ldap:///dc=evidian,dc=fr??subtree?(uid=$1)
NOTE: With OpenLDAP, using DIGEST-MD5 implies that user passwords are stored in clear text in the directory.
In the Windows registry set the following value (DWORD type) to 1:
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod
This section describes how to configure your LDAP directory to secure authentication information and other sensitive EAM data transmitted on the network.
EAM supports TLS and SSL, but it is strongly recommended to configure your LDAP directory to support TLS.
In the Windows registry, under the HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the following values:
IMPORTANT: It is strongly recommended to set the TLS value to 2.
NOTE: A certificate is public data that does not need to be protected.
To extend the schema of an existing iPlanet/Sun Java System/Red Hat/Fedora Directory Server, a file is provided on the Authentication Manager or Enterprise SSO installation package, in TOOLS\ESSODirectory\Oracle DSEE - RedHat DS - 389 DS\wiseguard-schema.ldif.
IMPORTANT: The configuration of SSO for Java requires advanced skills. To deliver SSO access to Java applications, an integration service is required. Please contact One Identity services at srv-expertise@oneidentity.com.
To extend the schema, the user needs to have the permission to create new objects.
Extend the schema by typing the following command:
ldapmodify -h <host> -p <port> -D <administrator DN> -w <administrator password> -f wiseguard-schema.ldif
Where:
<host>: LDAP server hostname.
<port>: TCP port number of the LDAP server instance you want to configure.
<administrator DN>: DN of the instance administrator.
<administrator password>: Password of the instance administrator.
The procedure differs depending on the data model in which you want to store EAM data. If you want to store EAM data in:
In this mode, EAM data is stored in your corporate naming context.
If you want to authenticate in EAM as an administrator, you must create a user or a group of users and give it administration rights in the directory.
Replace ##SUFFIX## with the Distinguished Name of your corporate naming context.
ldapmodify -h <host> -p <port> -D <administrator DN> -w <administrator password> -f wiseguard-ACL-extmgr.ldif
Where:
<host>: LDAP server hostname.
<port>: TCP port number of the LDAP server instance you want to configure.
<administrator DN>: DN of the instance administrator.
<administrator password>: Password of the instance administrator.
In this mode, EAM data is stored in a dedicated naming context. The ACLs are set on this naming context.
IMPORTANT: Before carrying out the following procedure, create the EAM default objects, as described in Running the Default Objects Creation Tool.
If you want to authenticate in EAM as an administrator, you must create a user or a group of users and give it administration rights in the directory.
NOTE: To know the value of this DN, you must have previously created the EAM default objects. By default the value of this DN is: ou=IAMForeignObjects,ou=Default,ou=ESSO,<dedicated suffix>.
Apply the modification by typing the following command line:
ldapmodify -h <host> -p <port> -D <administrator DN> -w <administrator password> -f wiseguard-ACL-cooperativemode-extmgr.ldif
Where:
<host>: LDAP server hostname.
<port>: TCP port number of the LDAP server instance you want to configure.
<administrator DN>: DN of the instance administrator.
<administrator password>: Password of the instance administrator.
The following standard attributes must be indexed:
IMPORTANT: Set these attributes in the corporate and in the EAM dedicated naming contexts.
When using a custom attribute stored on the authentication token, this attribute must be indexed for presence and equality searches.
IMPORTANT: Set this attribute in the corporate naming context only.
When searching for users to whom an account can be delegated, several attributes are used to search the directory using a substring match. These attributes must be indexed for substring search.
IMPORTANT: Set these attributes in the corporate naming context only.
By default, the attributes used are:
Since the administrator can change the attributes used for this search by modifying the UserSearchFilter registry value, the administrator has to check that the chosen attributes are indexed.
The following EAM specific attributes must be indexed:
IMPORTANT: Set these specific attributes in the EAM dedicated naming context only.
If you plan smart card authentication, set the following attributes:
If you want to use Web Access Manager with EAM, set the following attributes:
With Netscape iPlanet/Sun Java System/Red Hat/Fedora Directory Server, EAM supports DIGEST-MD5 SASL mechanisms. This section explains how to configure EAM for DIGEST-MD5 with Netscape iPlanet/Sun Java System/Red Hat/Fedora Directory Server.
IMPORTANT: This task is optional. Carry out the following procedure only if required.
Configure iPlanet/Sun Java System/Red Hat/Fedora Directory Server for DIGEST-MD5.
Depending on your directory version, to secure authentication in EAM it may be necessary to modify the password encryption method, so that the user password can be stored in clear text in your directory.
In the Windows registry set the following value (DWORD type) to 1:
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod
This section describes how to configure your LDAP directory to secure authentication information and other sensitive EAM data transmitted on the network.
EAM supports TLS and SSL, but it is strongly recommended to configure your LDAP directory to support TLS.
In the Windows registry, under the HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the following values:
IMPORTANT: It is strongly recommended to set the TLS value to 2.
NOTE: A certificate is public data that does not need to be protected.
To extend the schema of a Novell eDirectory, the file wiseguard-schema.ldif is provided in the directory TOOLS\ESSODirectory\Novell eDirectory of the Authentication Manager or Enterprise SSO installation package. This contains the definition of the Evidian objects.
Extend the schema using one of the following commands:
ldapmodify -c -h <host> -p <port> \
    -D <super-user DN> -w <super-user password> \
    -f wiseguard-schema.ldif
or:
ice -S LDIF -f wiseguard-schema.ldif \
    -D LDAP -s <host> -p <port> \
    -d <super-user DN> -w <super-user password>
Where:
To enable EAM account delegation, users must be able to search the directory for other users. The file wiseguard-delegation-ACL.ldif in the directory TOOLS\ESSODirectory\Novell eDirectory of the Authentication Manager or Enterprise SSO installation package is used to give the necessary access rights for this operation.
NOTE: This procedure can be performed at any time.
ldapmodify -x -h <host> -p <port> \
    -D <super-user DN> -w <super-user password> \
    -c -f wiseguard-delegation-ACL.ldif
or:
ice -S LDIF -c -f wiseguard-delegation-ACL.ldif \
    -D LDAP -s <host> -p <port> \
    -d <super-user DN> -w <super-user password>
Where:
The following standard attributes must be indexed:
When using a custom attribute stored on the authentication token, this attribute must be indexed for presence and equality searches.
When searching for users to whom an account can be delegated, several attributes are used to search the directory using a substring match. These attributes must be indexed for substring search. By default, the attributes used are:
Since the administrator can change the attributes used for this search by modifying the UserSearchFilter registry value, the administrator has to check that the chosen attributes are indexed.
The following specific attributes must be indexed:
With Novell eDirectory, EAM supports the following SASL mechanisms:
This section explains how to configure EAM for DIGEST-MD5 and NMAS with Novell eDirectory.
IMPORTANT: It is strongly recommended to use the NMAS mechanism. This task is optional. Carry out the following procedure only if required.
To use NMAS authentication, the Novell NMAS Client software must be installed on your EAM Controller.
In the Windows registry, set the DWORD value HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod as follows:
This section describes how to configure your LDAP directory to secure authentication information and other sensitive EAM data transmitted on the network.
EAM supports TLS and SSL, but it is strongly recommended to configure your LDAP directory to support TLS.
In the Windows registry, under the HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the following values:
IMPORTANT: It is strongly recommended to set the TLS value to 2.
NOTE: A certificate is public data that does not need to be protected.
To extend the schema of an IBM Tivoli Directory Server, two files are provided on the Authentication Manager or Enterprise SSO installation package, in TOOLS\ESSODirectory\IBM Tivoli Directory Server:
IMPORTANT: User objects must possess the enatelUser auxiliary class to be able to use EAM.
This section explains how to set ACLs on an IBM Tivoli Directory Server.
IMPORTANT: Users must possess the following entry in their ACL (ibm-filterAclEntry attribute): id:<DN>:(objectClass=*):object:ad:system:rsc:normal:rwsc:restricted:rwsc:sensitive:rwsc Where the <DN> string must be replaced with the user DN.
To set EAM access permissions on the directory, apply the following LDIF file on the directory root:
dn: <DNSuffixe>
changetype: modify
add: ibm-filterAclEntry
ibm-filterAclEntry: group:CN=ANYBODY:(objectClass=*):system:rsc:restricted:rsc:normal:rsc
ibm-filterAclEntry: group:CN=AUTHENTICATED:(objectClass=enatelSSOStorage):object:a
ibm-filterAclEntry: group:CN=AUTHENTICATED:(&(objectClass=enatelSSOAccount)(enatelAccountType=3)):object:d:system:rsc:normal:rwsc:restricted:rwsc:sensitive:rwsc
ibm-filterAclEntry: access-id:CN=THIS:(objectClass=inetOrgPerson):at.userPassword:w
ibm-filterAclEntry: access-id:CN=THIS:(objectClass=enatelComputer):at.userPassword:w
Where:
The <DNSuffixe> string must be replaced with the directory suffix.
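The following is an added example, not code from the One Identity guide: it assembles the root LDIF above with <DNSuffixe> substituted, and parses ibm-filterAclEntry values so that the per-user entry required in the IMPORTANT note can be checked before ldapmodify is run. The suffix and user DNs are constructed sample values.

```python
"""Added example, not code from the One Identity guide: builds the IBM Tivoli
Directory Server ACL LDIF shown above and checks ibm-filterAclEntry values
before they are applied. The suffix and user DNs used are constructed samples.
"""

# Per-user entry the guide requires; {dn} takes the place of <DN>.
USER_ACL_TEMPLATE = (
    "id:{dn}:(objectClass=*):object:ad:system:rsc:normal:rwsc"
    ":restricted:rwsc:sensitive:rwsc"
)

# Entries applied once on the directory suffix, as listed in the guide.
ROOT_ACL_ENTRIES = [
    "group:CN=ANYBODY:(objectClass=*):system:rsc:restricted:rsc:normal:rsc",
    "group:CN=AUTHENTICATED:(objectClass=enatelSSOStorage):object:a",
    "group:CN=AUTHENTICATED:(&(objectClass=enatelSSOAccount)(enatelAccountType=3))"
    ":object:d:system:rsc:normal:rwsc:restricted:rwsc:sensitive:rwsc",
    "access-id:CN=THIS:(objectClass=inetOrgPerson):at.userPassword:w",
    "access-id:CN=THIS:(objectClass=enatelComputer):at.userPassword:w",
]


def parse_filter_acl(entry):
    """Split an ibm-filterAclEntry value into (subject_type, subject, filter, rights).

    rights maps each target ('object', an attribute class such as 'normal', or
    'at.<attribute>') to its permission letters. The LDAP filter is located by
    balanced parentheses, so a filter containing ':' does not confuse the split.
    Subject DNs that themselves contain ':' are not handled.
    """
    subject_type, subject, rest = entry.split(":", 2)
    if not rest.startswith("("):
        raise ValueError("expected an LDAP filter after the subject: %r" % entry)
    depth = 0
    for i, ch in enumerate(rest):
        depth += {"(": 1, ")": -1}.get(ch, 0)
        if depth == 0:
            break
    else:
        raise ValueError("unbalanced LDAP filter in %r" % entry)
    ldap_filter, tail = rest[: i + 1], rest[i + 1:]
    fields = tail.lstrip(":").split(":")
    if len(fields) % 2:
        raise ValueError("rights must be target:permission pairs: %r" % entry)
    rights = dict(zip(fields[0::2], fields[1::2]))
    return subject_type, subject, ldap_filter, rights


def user_acl_entry(user_dn):
    """The ibm-filterAclEntry value a given user must possess."""
    return USER_ACL_TEMPLATE.format(dn=user_dn)


def user_entry_grants_eam_rights(entry, user_dn):
    """True if `entry` grants `user_dn` at least the rights the guide requires.

    Extra permission letters are tolerated; a missing target or letter is not.
    """
    subject_type, subject, ldap_filter, rights = parse_filter_acl(entry)
    if subject_type != "id" or subject.lower() != user_dn.lower():
        return False
    if ldap_filter != "(objectClass=*)":
        return False
    needed = parse_filter_acl(user_acl_entry(user_dn))[3]
    return all(set(perm) <= set(rights.get(target, ""))
               for target, perm in needed.items())


def build_root_ldif(suffix):
    """LDIF to apply on the directory root, with <DNSuffixe> replaced by suffix."""
    lines = ["dn: %s" % suffix, "changetype: modify", "add: ibm-filterAclEntry"]
    lines += ["ibm-filterAclEntry: %s" % e for e in ROOT_ACL_ENTRIES]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the ACL values an LDAP search returned for one user.
    alice = "cn=alice,ou=people,o=example"
    found = ["id:%s:(objectClass=*):object:ad:system:rsc:normal:rsc" % alice]
    ok = any(user_entry_grants_eam_rights(v, alice) for v in found)
    print("alice has the EAM ACL entry:", ok)   # False: 'w' missing on normal
    print(build_root_ldif("o=example"))
```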
On IBM Tivoli Directory Server, indexes are set during the schema extension.
With IBM Directory Server, EAM supports DIGEST-MD5 SASL mechanisms. This section explains how to configure EAM for DIGEST-MD5 with IBM Directory Server.
With IBM Tivoli Directory Server, this implies that user passwords are stored in the directory either in clear text or with the iMask symmetric encryption.
In the Windows registry set the following value (DWORD type) to 1:
HKLM/Software/Enatel/WiseGuard/FrameWork/Directory/LdapAuthMethod
This section describes how to configure your LDAP directory to secure authentication information and other sensitive EAM data transmitted on the network.
EAM supports TLS and SSL, but it is strongly recommended to configure your LDAP directory to support TLS.
In the Windows registry, under the HKLM/Software/Enatel/WiseGuard/FrameWork/Directory key, configure TLS with the following values:
IMPORTANT: It is strongly recommended to set the TLS value to 2.
NOTE: A certificate is public data that does not need to be protected.
EAM requires that EAM users have a unique directory attribute that distinguishes each from the others. For Atos DirX Directory, this attribute is the LDAP uid attribute.
E-SSO account entries must be of LDAP object class inetOrgPerson.
The DirX Directory schema must be extended to allow the creation of EAM objects. The TOOLS\ESSODirectory\Atos DirX Directory\esso-dirx-schema.ldif file in the EAM installation package contains the schema modifications.
Extend the schema by executing the following command on the DirX Directory workstation:
dirxmodify -h <host> -p <port> -D <administrator DN> -w <administrator password> -f esso-dirx-schema.ldif -v -e error.txt
where:
NOTE: After executing the command, check the error.txt file for possible error messages.
To give the necessary permissions to EAM users, EAM ACLs must be set in the Atos DirX Directory.
NOTE: These names are in DirX DAP DN format.
NOTE: Enter the administrator password if prompted.
If the directory you are connecting to denies anonymous access (anonymous bind), you can set the following registry value on all the EAM controllers and workstations to cope with this directory policy: HKLM\SOFTWARE[\Policies]\Enatel\WiseGuard\FrameWork\Directory\AnonymousBindForbidden (REG_DWORD) = 0x01
IMPORTANT: This registry value must be set before starting the EAM Administration Tools (WGAdminTools).
You can force EAM to use a given LDAP account to do requests on the directory server.
Make sure the dedicated user is created in your directory.
IMPORTANT: If you are using Active Directory, the user must belong to the "Domain Computers" group.
The Administration Tools window appears.
To use this account on a single workstation, do the following procedure:
The Administration Tools interface appears.
The Controller Configuration window appears.
Evidian provides a set of administration tools which allow you to:
This section details how to start and use the administration tools.
The Administration Tools window is a task-oriented interface that allows you to configure your EAM solution.
The EAM Installation window appears.
NOTE: If the window does not appear, do the following:
The Administration Tools window appears.
Each tool that you can run from the Administration Tools window is a wizard that allows you to perform a specific operation during the installation process of the EAM databases.
The "Default objects creation" tool initializes the LDAP directory with default EAM objects.
Use this tool only if you are installing primary or associated EAM controllers.
Depending on your directory type, the Default Objects creation must be executed with:
The LDAP directory initialization wizard appears.
The wizard allows you to choose the administration mode.
The following window appears.
To extend the administration capabilities of the solution, click Activate advanced administration mode (for more information on advanced administration mode, see One Identity EAM Console - Guide de l'administrateur).
IMPORTANT: The advanced administration mode cannot be changed later. If this is a new installation, this mode is recommended. If you are upgrading, existing administration profiles will be migrated.
This section describes how to use the Primary server initialization tool, which creates the EAM security database in the directory. For your security database you can choose either software or hardware protection.
The primary controller initialization wizard appears.
Filling in the Protection mode window
The wizard allows you to choose the protection mode for your security database.
The following window appears.
For more information on protection mode, see One Identity EAM Console - Guide de l'administrateur.
This section describes how to use the Associated controller initialization tool, which creates the EAM security database from the primary controller.
The Primary controller must be installed.
You must have the Security Module and its PIN code. It is strongly recommended to use the same security module as the primary server to allow administrators to manage several servers.
IMPORTANT: You must install Associated controllers only if you are implementing an EAM software architecture in a multi-domain environment.
The associated controller initialization wizard appears.
This task is optional: if your organization needs to use smart cards or USB tokens that are not supported by EAM, you can import a personalization file into the LDAP directory so that those specific smart cards can be used.
NOTE: For the list of standard smart cards supported by EAM, see One Identity EAM Release Notes.
The token personalization file is an XML file provided by Evidian.
Make sure you have the appropriate token personalization XML file.
The wizard appears.
See Enabling the Self Service Password Request (SSPR) Feature .
This task allows you to import the public key of an external application into the EAM security directory, in order to allow EAM users to share their accounts with the external application. It is used for example to enable the Mobile E-SSO feature. For more information, see Mobile E-SSO Installation and Configuration Guide.
The public key must be available as a PEM file.
The wizard appears.
NOTE: If you are using Active Directory as the EAM security repository, when the wizard asks you to enter the login/password of an administrator account, use the account that is a member of the Domain Admins group and that you have specifically created to install EAM.
This task allows you to export the key of the primary controller to a secondary or associated controller. The server key is exported in an authentication description file and protected by password, then this key is imported into the secondary or associated server.
Before importing or exporting the controller key, make sure EAM Security Services are started.
The controller key management window appears.
The controller key management window appears.
All audit events received by EAM Controllers are stored in a local audit database. If several controllers are installed or if you plan to install several controllers, they must share the same audit database.
To achieve this, you can either:
The second solution provides the best performance: the unavailability of the master audit database (for example during maintenance periods) does not prevent the collection of audit events from a workstation.
SQL scripts for creating the Audit V2 structure are available in the installation package, in the following folder: \TOOLS\WGSrvConfig\Support
These scripts are templates that you must analyze and adapt to your environment before executing them. If you need to store audit events in another type of database server than those listed below, please contact your Evidian representative.
IMPORTANT:
The following figure describes the use of a master audit database along with EAM:
All audit events received by the EAM Controller are stored in the local EAM audit cache (1). This local audit database prevents the loss of audit events whenever the master database is not available.
The EAM Controller regularly uploads the content of the local audit cache to the master database (3), through a local OLE DB or ODBC driver (2). Once an audit record has been successfully sent to the master database, it is removed from the local EAM audit cache.
NOTE:
If there are connection problems between the local and master audit database, then the EAM Controller can send the content of its local database to a designated delegate controller. The latter then stores this content in its local database to be sent to the master audit database. This requires additional configuration: see Windows registry at the end of this Section for more information.
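The following is an added model, not One Identity code, of the store-and-forward behaviour described above: events are cached locally, uploaded in batches, removed from the cache only after the master database has accepted them, and handed to a delegate controller when the master is unreachable. MasterDatabase and Controller are constructed stand-ins; the real controller uses the registry settings and OLE DB/ODBC drivers described in this section.

```python
"""Added example, not One Identity code: a small model of the audit flow
described above. Every event is written to the controller's local cache
first, uploaded to the master database in batches, removed from the cache
only once the master has accepted it, and handed to a delegate controller
when the master is unreachable. MasterDatabase is a constructed stand-in.
"""
import collections


class MasterDatabase:
    """Stand-in for the master audit database (3 in the figure)."""

    def __init__(self, available=True):
        self.available = available
        self.rows = []

    def insert(self, batch):
        if not self.available:
            raise ConnectionError("master audit database unreachable")
        self.rows.extend(batch)


class Controller:
    """An EAM controller with its local audit cache (1 in the figure)."""

    def __init__(self, name, master, delegate=None, batch_size=100):
        self.name = name
        self.master = master
        self.delegate = delegate          # another Controller, or None
        self.batch_size = batch_size
        self.cache = collections.deque()  # local audit database

    def record(self, event):
        """Store an incoming event locally; nothing is lost if the master is down."""
        self.cache.append(event)

    def upload(self):
        """One scheduled upload run; returns (sent_to_master, sent_to_delegate)."""
        to_master = to_delegate = 0
        while self.cache:
            batch = [self.cache[i]
                     for i in range(min(self.batch_size, len(self.cache)))]
            try:
                self.master.insert(batch)
                to_master += len(batch)
            except ConnectionError:
                if self.delegate is None:
                    break  # keep the events locally and retry at the next run
                # The delegate stores them in its own local cache and uploads
                # them to the master on its own schedule.
                for event in batch:
                    self.delegate.record(event)
                to_delegate += len(batch)
            # Only now is the batch dropped from the local cache.
            for _ in batch:
                self.cache.popleft()
        return to_master, to_delegate


if __name__ == "__main__":
    # Constructed scenario: master down during maintenance, delegate available.
    master = MasterDatabase(available=False)
    delegate = Controller("delegate", master)
    ctrl = Controller("ctrl", master, delegate=delegate, batch_size=2)
    for i in range(5):
        ctrl.record({"id": i, "event": "logon"})
    print("ctrl upload (master down):", ctrl.upload())      # (0, 5)
    master.available = True
    print("delegate upload (master up):", delegate.upload())  # (5, 0)
    print("rows in master:", len(master.rows))               # 5
```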
IMPORTANT: If you plan to install MySQL server, read the following:
Install and configure the local audit database on the EAM primary controller.
Install a master audit database, using the same procedure as for the local audit database, as described in Creating Audit V2 Tables in an Existing Local Audit Database.
Configure the master audit database, as detailed in Defining a Master Audit Database.
IMPORTANT: You must install and configure the master audit database right after installing the first local audit database (the configuration of the master audit database is described in Defining a Master Audit Database).
Install and configure the local audit database on the other EAM controllers.
IMPORTANT: The wizard supports the following database servers:
The installation wizard appears.
When this window appears | Do the following
The wizard retrieves the necessary information from the existing database server.
IMPORTANT: If you create the audit V2 tables in an existing MySQL database, the connection to the EAM Controller is also set up by the wizard: the EAM local audit database is operational when the wizard completes. If the existing database installed on the EAM Controller is not a MySQL database, or if you want to set up the connection through the local OLE DB and/or ODBC driver, you must set up the connection parameters as detailed in "Setting up the Connection to the Local Audit Database".
This section describes how to set up the link between the EAM Controller and the local audit database.
You have created the audit V2 tables as detailed in Creating Audit V2 Tables in an Existing Local Audit Database.
The wizard appears.
Provider tab: select the OLE DB provider corresponding to the data you want to access:
Database | OLE DB Provider
Microsoft SQL Server 2005 | Microsoft OLE DB Provider for SQL Server
MySQL | Microsoft OLE DB Provider for ODBC Drivers
Oracle | Oracle Provider for OLE DB
PostgreSQL | Microsoft OLE DB Provider for ODBC Drivers
Connection tab:
NOTE: Enter the NETBIOS name if you want to use the Windows authentication.
Select the authentication method to connect to the server:
- Use Windows NT Integrated security for Windows authentication.
OR
- Use a specific user name and password for a specific SQL account.
If required, provide the login and password used to authenticate to the data source.
Note: for Microsoft SQL servers, you can enter an:
- SQL account.
OR
- Active Directory account if you have selected the Windows Integrated Authentication.
Select the Allow saving password check box.
Select the name of the database that you want to access (the database must exist).
These connection parameters are stored in the strongly encrypted area of the EAM configuration data.
NOTE: If you have selected the Windows authentication, you must enter the Active Directory account credentials to connect to the database, such as DOMAIN\loginName.
IMPORTANT: When using the Windows authentication: the account password should never expire, in order to allow the EAM controller to work continuously. If the account password is changed, the configuration must be re-executed. When changing the account password, the administrator must make sure the User must change password at next login check box is not selected.
If necessary, restart EAM Security Services to take configuration changes into account.
This section describes how to set the master audit database connection parameters.
Provider tab: select the OLE DB provider corresponding to the database you want to access.
Database | OLE DB Provider
Microsoft SQL Server 2005 | Microsoft OLE DB Provider for SQL Server
MySQL | Microsoft OLE DB Provider for ODBC Drivers
Oracle | Oracle Provider for OLE DB
PostgreSQL | Microsoft OLE DB Provider for ODBC Drivers
Connection tab:
Select the Data Source Name (DSN) of the configured ODBC driver (MySQL or PostGreSQL) or the server name (Microsoft SQL Server or Oracle) corresponding to the data you want to access.
IMPORTANT: If the name you want does not appear in the list, the client database software (SQL Server client, Oracle client, MySQL or PostgreSQL ODBC driver) is not properly configured. Refer to the database documentation to configure it. When using an ODBC driver, you must select a DSN previously declared using the Microsoft ODBC Data Source Administrator tool (click Administrative Tools\Data Sources (ODBC) to start it).
Select the authentication method to connect to the server:
OR
NOTE: For Microsoft SQL servers, you can enter an SQL account. If you have selected the Windows Integrated Authentication, enter an Active Directory account.
Select the Allow saving password check box.
Select the name of the database that you want to access (the database must exist).
NOTE: These connection parameters are stored in the strongly encrypted area of the EAM configuration data.
NOTE: If you have selected the Windows authentication, you must enter the Active Directory account credentials to connect to the database, such as DOMAIN\loginName.
IMPORTANT: When using the Windows authentication:
Select the name of the table where EAM audit events are to be stored.
For Audit V2, the name of the table to use in case of a master database is v_iamaudit or dbo.v_iamaudit for SQL Server.
If you want the EAM Controller to send e-mails to database or security administrators whenever the master database reaches a size threshold, fill in the following fields:
E-mails are sent to the database administrator (with a copy to co-administrators) once the master database reaches the specified size. Even after the master database has reached the specified size, the EAM Controller still uploads audit events to it.
This area allows you to configure when EAM audit events are uploaded to this master database. Specify a fixed daily time (for example 02:00 every day) or a frequency (for example every day, every 4 hours or every minute).
You may also indicate that local audit events should be uploaded to the master database as soon as the local SQL Server database reaches a maximum size. For this purpose, indicate the maximum size (in number of stored events) and how often EAM should check the size of the local audit SQL Server database (every 120 seconds for example).
Registry values regarding the configuration of the master audit database are located in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\AuditMasterSrv
NOTE: If required, you can also set these two values in HKEY_LOCAL_MACHINE\SOFTWARE\Enatel\WiseGuard\FrameWork\AuditSrv, which is the registry key related to the configuration of the local audit database.
IMPORTANT: These values should only be used as an exceptional measure and only in case of a slow network.
The delegate controller must be configured, including the connection to its audit database(s). To avoid additional delays while viewing audit events gathered by the delegator controller, you should either:
One Identity recommends the second configuration (connect the Local database to the Central database with no defined Master database) as it avoids an additional delay between the generation of the audit event on a workstation and its availability for administrators using the Console.
This section explains how to import the audit events translation data, so that audit events can be easily read.
The Insert/Update Audit MetaData window appears.
The metadata XML file location field is already filled-in.
NOTE:
A confirmation window appears.
The Controller Configuration window appears.
IMPORTANT: The QRentry and Reporting Service functions can only be used with the EAM Web Service.
The Controller Configuration window appears.
The EAM Web Service is now secure.
By default, the super administrator is the user who created the database. However, you can select a specific user to be the Primary Administrator of the EAM solution.
The Controller Configuration window appears.
The selected user is now the Primary Administrator of the solution.
The E-SSO Provisioning connector enables the:
To enable this connector, you must set the admin login of the administrator account of the target application in the EAM console (see One Identity EAM Console - Guide de l'administrateur) and associate it with a password, as described in the following procedure.
The following illustration details how the E-SSO provisioning connector works:
IMPORTANT: Password provisioning may slow down the sending of the login/password to the application. To avoid this, you can activate the window masking option in the application window (see Enterprise SSO - Guide de l'administrateur).
The Controller Configuration window appears.
The administrator account is now created.
NOTE: If there are several accounts, they appear in the Login drop-down list.
To delete an account:
This section explains how to install an EAM Controller, which is made of the following components:
NOTE: To use EAM Console, EAM Controller must be installed on a computer. For more information, see EAM Architecture.
Depending on your needs, you may install these two modules on the same workstation or separately.
The EAM Controller is delivered as installation packages using the Microsoft Windows Installer (MSI) format.
You can install this package:
The EAM Controller installation wizard appears.
NOTE: If the EAM Console installation wizard does not automatically appear, browse the INSTALL directory of the Authentication Manager or Enterprise SSO installation package and double-click ESSOController.msi.
Follow the displayed instructions and the guidelines given in the following Controller Wizard Window Description section.
If you have installed Authentication Manager, the Authentication Manager authentication window appears.
To choose the components to install, click Custom in the Select Installation Type window.
The reporting service enables you to generate PDF reports for:
The reporting service must be installed on a controller. As this is not a mandatory module, you can install one or several controllers with a reporting service. In that case, the administrator must specify which controller hosting the reporting service to use to create reports. The PDF report files are then generated locally on that controller.
This reporting service connects to the:
IMPORTANT:
The following figure describes the use of a reporting service along with EAM:
The following elements/pieces of software must be installed and configured:
IMPORTANT: The EAM Controller must be installed before securing the Web Service.
IMPORTANT: If the JRE is not installed when the Reporting Server installation starts, a window asking you to install the JRE will appear. Make sure to install the correct version: 32 or 64 bits.
If you have a:
For the reporting service to operate correctly, you must check the values of some important MySQL parameters, such as:
IMPORTANT: To be persistent, these parameters must be customized by the database administrator in the [mysqld] section of the MySQL initialization file.
The installation wizard creates:
IMPORTANT: The iar_wdb database does not need to be saved or dumped since it is temporary, whereas the iar_db database should be added to your own database backup process.
NOTE: These installation steps are executed by the SQL account used by the controller account.
The Reporting Server installation wizard appears.
NOTE: If you did not install the elements described in Before Starting above, the installation wizard will ask you to install them and will then restart.
When this window appears | Do the following
The wizard detects whether the following elements are installed and/or configured:
If all the ticks are green, click Next; otherwise go back to Before Starting above to finish the configuration of the required elements/pieces of software.
The wizard detects whether the reporting database is configured by checking if the following elements are created and/or configured:
Create these elements by clicking the corresponding Create buttons; if all the ticks are green, click Next.
If you want to sign the generated PDF reports, fill in the Signature certificate field. Click Next.
Click Finish to close the wizard and start the Reporting Server.
To be able to execute the installation, you must first complete the following steps:
IMPORTANT: The iar_wdb database does not need to be saved or dumped since it is temporary, whereas the iar_db database should be added to your own database backup process.
The Reporting Server installation wizard appears.
NOTE: If you did not install the elements described in Before Starting above, the installation wizard will ask you to install them and will then restart.
When this window appears | Do the following
The wizard detects whether the following elements are installed and/or configured:
If all the ticks are green, click Next; otherwise go back to Before Starting above to finish the configuration of the required elements/pieces of software.
The wizard detects whether the reporting database is configured by checking if the following elements are created and/or configured:
Click Set to connect to the Reporting databases with the ureport user.
Enter the password of the ureport technical account, click OK, and click Next if all the elements are checked.
If you want to sign the generated PDF reports, fill in the Signature certificate field. Click Next.
Click Finish to close the wizard and start the Reporting Server.